He ended with the statement "Proof may not be possible but then you can outsource the liability". Well, actually, you cannot. If you have any data subjects (that is, people or corporations about which you keep data) that are residents of Australia, Canada, the European Union, or the United States, then you can NEVER outsource the liability, because it is incumbent on the company to secure that data. This is a legal requirement for doing business with those territories, irrespective of where the data is located.

This is one of those areas where the worlds of data management and the law collide. Data protection and privacy protection have become increasingly important since the 1990s, so much so that any corporation deploying solutions should consider the legal aspects, irrespective of where their customers are located.

Any company that holds data about another person, whether on paper or in a database, has a duty to keep that data secure, whether this data is held on a local server or on an external service, which is why I say you cannot outsource the liability. According to legal principles, data cannot be shared between companies; therefore SaaS-based solutions need to ensure a Chinese wall exists between the data owned by each corporate user.

There is a clear difference between a small company managing their accounting on a single PC. Granted that backups and failover storage are an issue. I have managed solutions provision for both large and small corporations over many years. Security and data management are as big an issue for the small business as the global corporation. Yet in the modern world of cloud computing it does mean that a small company can have access to the same software as the global corporation. This is a big bonus to the SMB.

I know the proposition that I have painted is a bit of a dichotomy, but it is a fact of life and a complex path that both Business and IT decision makers have to tread.

2 Comments

Hi. Interesting commentary on security in the cloud. As you have very accurately pointed out, knowing where your data resides may be of vital importance. Security and compliance are intertwined.

One must be able to answer these questions first before considering a cloud option:
- What are the laws and regulations that impact my data and operations?
- Is my data subject to any local regulations?

Furthermore, it is very important to ask your potential cloud providers questions like:
- Where and in what countries do you have dedicated cloud facilities?
- How do you respond to legal requests for information?
- Who is responsible when things go wrong?
- How is the data used and stored? For how long?
- Do you allow client specific audits?
- Are you using another hosting company? If so, can I request an independent audit of their security status?
- Can you help me achieve compliance?

Disclaimer: Blog contents express the viewpoints of their independent authors and are not reviewed for correctness or accuracy by Toolbox for IT. Any opinions, comments, solutions or other commentary expressed by blog authors are not endorsed or recommended by Toolbox for IT or any vendor.